If you work in New York, then you know what the NYDFS cybersecurity regulation is all about. But for many, it can be hard to figure out how each section applies to your organization. Everteam VP of North America, Ken Lownie, has been digging into the details of one particular section of the regulation: Section 500.13, the data retention rules. In a webinar, he walked us through this section of the regulation and how you can get your organization into compliance sooner rather than later.
In this post, we’ll recap the key points of that webinar, and then if you want to hear all the details, you can watch it from the link below.
About the Data Retention Requirements
There are 23 sections in the NYDFS regulation, all focused on ensuring information is secure and properly managed. Section 500.13 relates to the secure disposal of non-public information that is no longer necessary for business operations or other “legitimate business purposes.”
According to Ken, it all boils down to this:
- You need retention rules set up for different categories of data
- You need to track the age of your data, and
- Upon expiration date, you need a process in place for destroying the data, and you need to retain a record of that destruction.
In an ideal world, you would have time to complete a full information lifecycle plan that includes an information inventory, defining your taxonomy and record series, identifying and associating regulations and defining retention rules. Then you create your policy and processes and implement the plan.
The ideal world is far from the reality most organizations face when they have to deal with changing regulations quickly. You need a faster way to get this done. Ken proposes an agile approach.
An Agile Approach
In the webinar, Ken proposed an agile approach that involves incremental, iterative projects (or sprints), each with its own success criteria and benefits:
- Each sprint focused on one domain of the organization
- Leverages the learning curve effect
- Provides demonstrable progress toward a larger objective
Each project or sprint has four key steps:
- Audit: If you complied with Section 500.3, then you should already have your information asset inventory completed. Make sure your inventory includes unstructured repositories across the organization. At a minimum, it should record, for each information asset: the type of information, its location, its owner or curator, whether it includes personal information, and whether it is exempt from the retention requirement.
- Cleanse and classify: There is a lot to do here: delete your duplicates, create a simple classification scheme, classify based on properties, location, metadata, and textual content, define record set types using your classification scheme, and identify obsolete information.
- Identify retention rules: Identify business and regulatory retention requirements, then define a basic set of rules that meet those requirements and then apply those rules to the identified record set types.
- Apply retention rules & destroy required documents: Implement the plan by applying the retention rules and processing information for deletion. Make sure a monthly review and approval process is in place for the information queued for destruction.
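To make the three requirements above (retention rules per category, tracking data age, and destroying expired data while keeping a record of the destruction) and the final sprint step concrete, here is an added example in Python. It is not code from the webinar or from Everteam; the category names, retention periods and sample records are constructed for illustration, and the "exempt" flag stands in for whatever exemption or legal-hold marking your inventory carries.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib

# Retention period per data category, in days (constructed sample values,
# not figures taken from the regulation).
RETENTION_DAYS = {"customer_pii": 365 * 7, "marketing": 365 * 2, "logs": 90}


@dataclass
class Record:
    record_id: str
    category: str      # assigned during the "cleanse and classify" step
    created: date      # needed to track the age of the data
    exempt: bool = False   # exempt from the retention requirement (e.g. legal hold)
    content: bytes = b""


def expiry_date(rec: Record) -> date:
    """Date on which the record's retention period ends."""
    if rec.category not in RETENTION_DAYS:
        # Unclassified data cannot be aged out; classify it first.
        raise ValueError(f"no retention rule for category {rec.category!r}")
    return rec.created + timedelta(days=RETENTION_DAYS[rec.category])


def is_expired(rec: Record, today: date) -> bool:
    return not rec.exempt and today >= expiry_date(rec)


def process_for_deletion(records, today: date, destruction_log: list):
    """Return the records to keep; expired ones are logged and dropped."""
    kept = []
    for rec in records:
        if is_expired(rec, today):
            destruction_log.append({
                "record_id": rec.record_id,
                "category": rec.category,
                "created": rec.created.isoformat(),
                "destroyed_on": today.isoformat(),
                # A hash proves what was destroyed without the log itself
                # retaining any non-public information.
                "content_sha256": hashlib.sha256(rec.content).hexdigest(),
            })
        else:
            kept.append(rec)
    return kept


def run_sample(today: date = date(2020, 1, 1)):
    # Constructed sample inventory: one expired PII record, one young log
    # record, one exempt marketing record, one expired log record.
    records = [
        Record("r1", "customer_pii", date(2012, 1, 1), content=b"ssn=..."),
        Record("r2", "logs", date(2019, 11, 1)),
        Record("r3", "marketing", date(2017, 1, 1), exempt=True),
        Record("r4", "logs", date(2019, 9, 1)),
    ]
    log = []
    kept = process_for_deletion(records, today, log)
    return [r.record_id for r in kept], log
```

In a real deployment the destruction log would be written to an append-only store and the monthly review would approve the queued batch before `process_for_deletion` runs.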
Tools That Can Help
Ken wrapped up the webinar with a discussion on the need for AI tools that can help speed up the indexing and classification of information as well as assigning and applying retention rules. These tools leverage file and content analytics, but also use machine learning and natural language processing to help automate some of the effort and further speed up the process.
You can also watch the entire webinar here: